The Hacker News — Cyber Security, Hacking, Technology News

Facebook bounty hunter Laxman Muthiyah from India has recently discovered his third bug of this year in the widely popular social network website that just made a new record by touching 1 Billion users in a single day.

At the beginning of the year, Laxman discovered a serious flaw in the Facebook Graph API that allowed him to view or possibly delete other users' photo albums on Facebook, even without authentication.

Just a month later, Laxman uncovered another critical vulnerability in the social network, this one in the Facebook Photo Sync feature, which automatically uploads photos from your mobile device to a private Facebook album that isn't visible to any of your Facebook friends or other Facebook users.

However, the flaw discovered by Laxman could allow any third-party app to access and steal your personal photographs from the hidden Facebook Photo Sync album.

Hacking Any Facebook Page

Now, the latest bug in Laxman's list could allow attackers to take over control of your Facebook pages.

This time Laxman has found an issue with the "Facebook business pages" that are not specific to a single user account, but instead represent a business and are usually managed by a number of users.

However, Laxman found a way for third-party apps with only limited permissions to take complete control of a Facebook business page, possibly making the victim permanently lose administrator access to the page.

Here's How:

Third-party Facebook applications are capable of performing a range of operations, including posting status updates on your behalf and publishing photos, but Facebook doesn't allow them to add or modify page admin roles.

Facebook allows a page administrator to assign different roles to different people in the organisation through manage_pages, a special access permission requested by third-party apps.

However, according to Laxman, an attacker can use a simple sequence of requests in an attempt to make himself an admin of a particular Facebook page.

The photos that you have synced from your phone are automatically uploaded in the background to a private Facebook album, which is not visible to any of your Facebook friends or other Facebook users. However, you can then choose to share photos from the album on your Facebook timeline or send them as a message to a friend.

It's something that reminds me of "The Fappening" and "The Snappening" -- in which nude and personal photographs of top celebrities were leaked due to a security flaw in Apple's iCloud file storage service and an unofficial Snapchat messaging service app, respectively.

In a blog post published today, Laxman explained that the vulnerability resides in the privilege mechanism that determines which applications are allowed to access synced photos using the vaultimages API.

"The vulnerable part is, it just checks the owner of the access token and not the application which is making the request. So it allows any application with user_photos permission to read your mobile photos," Laxman wrote in a blog post.

Technically, the synced private photo album should be accessible only by Facebook's official app, but the vulnerability allows any third-party app to get permission to read your personal synced photos.

Laxman previously disclosed a vulnerability in Facebook Graph API mechanism that allowed him to delete any photo album on Facebook owned by any user, any page or any group.

HOW TO DISABLE AUTO-SYNC

Though Facebook has patched the vulnerability reported by Laxman and rewarded him with $10,000 under its bug bounty program, Facebook users are advised to turn off the Facebook Photo Sync feature just to be on the safer side.

In order to do so, just go to Facebook mobile app menu, scroll down and select Account > App Settings > Sync Photos, then Choose 'Don't sync my photos.'

A serious vulnerability in Facebook has recently been reported that could allow anyone to delete your complete Facebook photo album without authentication.

Security researcher Laxman Muthiyah told The Hacker News that the vulnerability actually resides in the Facebook Graph API mechanism, which allows "a hacker to delete any photo album on Facebook. Any photo album owned by a user or a page or a group could be deleted."

DELETING FACEBOOK PHOTO ALBUMS

According to Facebook's developer documentation, it's not possible to delete albums using the Graph API, but the Indian security researcher has found a way to delete not just his own, but also others' Facebook photo albums within a few seconds.

"I decided to try it with Facebook for mobile access token because we can see delete option for all photo albums in Facebook mobile application isn't it? Yeah and also it uses the same Graph API," he said.

In general, the Facebook Graph API requires an access token to read or write users' data, which gives an app only limited access. However, Laxman discovered that his own access token generated for the mobile version of Facebook could be exploited to remove any photo album posted by any Facebook user.

In order to delete a photo album from a victim's Facebook account, the attacker only needs to send an HTTP-based Graph API request with the victim's photo album ID and the attacker's own access token generated for the 'Facebook for Android' app.
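The two bugs described above share a root cause: the API authorised a request on the access token alone and skipped a check that mattered for the object being touched. The synced-photo read (quoted from Laxman's blog post) compared the token's owner but not the requesting app; the album delete honoured any valid token without confirming that the token's user owned the album. The following is an added illustration, not Facebook's code or Laxman's, of both flawed checks next to their hardened counterparts in a toy authorisation gate. The token structure, the `OFFICIAL_APP_ID` value and the `ALBUM_WRITE_SCOPE` name are assumed placeholders; `user_photos` is the permission named in the article.

```python
# Added example for this article: a toy model of the two authorisation checks
# the text describes as missing. NOT Facebook's code. Token fields, the official
# app id and ALBUM_WRITE_SCOPE are assumptions made for illustration only.
from dataclasses import dataclass
from typing import FrozenSet, Tuple

OFFICIAL_APP_ID = "official-facebook-app"      # constructed placeholder app id
ALBUM_WRITE_SCOPE = "album_write"              # hypothetical scope name


@dataclass(frozen=True)
class AccessToken:
    user_id: str              # the user who granted the token
    app_id: str               # the app the token was issued to
    scopes: FrozenSet[str]    # permissions the user granted that app


@dataclass(frozen=True)
class Resource:
    kind: str                 # "synced_photos" or "album"
    owner_id: str             # user who owns the object


def vulnerable_read_synced_photos(token: AccessToken, res: Resource) -> Tuple[bool, str]:
    """Flawed check as the article describes it: looks only at the token owner
    and the user_photos permission, never at which app is asking."""
    if res.kind != "synced_photos":
        return False, "wrong resource kind"
    if token.user_id != res.owner_id:
        return False, "token owner is not the album owner"
    if "user_photos" not in token.scopes:
        return False, "missing user_photos"
    return True, "owner and permission match"


def hardened_read_synced_photos(token: AccessToken, res: Resource) -> Tuple[bool, str]:
    """Same checks plus the missing one: the synced album is reserved for the
    official app, so the requesting app id must match as well."""
    ok, why = vulnerable_read_synced_photos(token, res)
    if not ok:
        return ok, why
    if token.app_id != OFFICIAL_APP_ID:
        return False, "app %s is not allowed to read synced photos" % token.app_id
    return True, "owner, permission and app match"


def vulnerable_delete_album(token: AccessToken, res: Resource) -> Tuple[bool, str]:
    """Flawed check: any valid token reaching this path may delete any album."""
    if res.kind != "album":
        return False, "wrong resource kind"
    return True, "valid token presented"


def hardened_delete_album(token: AccessToken, res: Resource) -> Tuple[bool, str]:
    """Object-level authorisation: the album must belong to the token's user and
    the app must hold a write scope for albums (hypothetical scope name)."""
    if res.kind != "album":
        return False, "wrong resource kind"
    if token.user_id != res.owner_id:
        return False, "token owner does not own this album"
    if ALBUM_WRITE_SCOPE not in token.scopes:
        return False, "missing %s" % ALBUM_WRITE_SCOPE
    return True, "owner and write scope match"


# Constructed sample data: a victim's objects and three tokens.
VICTIM_SYNC = Resource("synced_photos", "user-victim")
VICTIM_ALBUM = Resource("album", "user-victim")
THIRD_PARTY_TOKEN = AccessToken("user-victim", "some-third-party-app", frozenset({"user_photos"}))
OFFICIAL_TOKEN = AccessToken("user-victim", OFFICIAL_APP_ID, frozenset({"user_photos"}))
OTHER_USER_TOKEN = AccessToken("user-other", "mobile-app", frozenset({"user_photos", ALBUM_WRITE_SCOPE}))


def demo() -> dict:
    """Run each check against the sample data; True means access granted."""
    return {
        "third_party_read_vuln": vulnerable_read_synced_photos(THIRD_PARTY_TOKEN, VICTIM_SYNC)[0],
        "third_party_read_hard": hardened_read_synced_photos(THIRD_PARTY_TOKEN, VICTIM_SYNC)[0],
        "official_read_hard": hardened_read_synced_photos(OFFICIAL_TOKEN, VICTIM_SYNC)[0],
        "other_user_delete_vuln": vulnerable_delete_album(OTHER_USER_TOKEN, VICTIM_ALBUM)[0],
        "other_user_delete_hard": hardened_delete_album(OTHER_USER_TOKEN, VICTIM_ALBUM)[0],
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print(name, "GRANTED" if granted else "DENIED")
```

Run as a script, the vulnerable checks grant the third-party app access to the synced photos and let a different user's token delete the victim's album, while the hardened checks deny both and still let the official app read its own user's synced photos. The reason strings are there so that a denial can be logged with the failing condition, which is what a defender wants to alert on.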